I am working on a site and I am using MySQL. I have a file that accesses the database with a password. Right now the password is just saved in plain text in the file but as you guys should know this is not secure. What is the best way of having this be secure? Or should I just make sure the permissions are locked down on it? Obviously sites that use SQL should have a password on their SQL servers but how do they securely do so?
Forum Thread: How Do Sites Keep Their SQL Passwords?
- Hot
- Active
-
Forum Thread:
How to Setup Utopia Mining Bot? Utopia VM or Sandbox Tutorial
1
Replies
4 hrs ago -
Forum Thread:
How to Setup Utopia Mining Bot? Utopia VM or Sandbox Tutorial
0
Replies
10 hrs ago -
Forum Thread:
Kali Linux
1
Replies
11 hrs ago -
Forum Thread:
Hacking into Whatsapp Series, Part 2: Phishing.
4
Replies
11 hrs ago -
Forum Thread:
Creating an Completely Undetectable Executable in Under 15 Minutes!
34
Replies
13 hrs ago -
Forum Thread:
Need Help Getting Proxys to Work on Kali Linux :( (Noob)
0
Replies
17 hrs ago -
Forum Thread:
Can I Bypass Activation Lock on Iphone Without Email?
2
Replies
20 hrs ago -
Forum Thread:
t14m4t - Automated Brute-Forcing Attack Tool.
0
Replies
21 hrs ago -
UNCLEAR:
Root User Account Kali Linux/Raspberry Pi 3 B+ (Change?/How to Change?)
0
Replies
1 day ago -
Forum Thread:
Gaining Access into the Victim's Whatsapp on Android
11
Replies
1 day ago -
Forum Thread:
Should Null Byte Start a YT Playlist for Better Understanding of Hacking Processes??
0
Replies
2 days ago -
Forum Thread:
AWUS036NHA TX Power Problem
8
Replies
2 days ago -
Forum Thread:
Installing Kali Stuck at Configure the Network
1
Replies
3 days ago -
Forum Thread:
HACK ANDROID with KALI USING PORT FORWARDING(portmap.io)
0
Replies
3 days ago -
Forum Thread:
How to Hack School Website
4
Replies
3 days ago -
How to:
HACK Android Device with TermuX on Android | Part #1 - Over the Internet [Ultimate Guide]
133
Replies
3 days ago -
Forum Thread:
Instagram Crawler - Flow (Part 2)
0
Replies
4 days ago -
Forum Thread:
Instagram Crawler - Setting Things Up (Part 1)
0
Replies
4 days ago -
Forum Thread:
Should I Buy Gopro Hero 8 or Not?
0
Replies
6 days ago -
Forum Thread:
How to Restart Meterpreter Session???
14
Replies
6 days ago
-
How To:
Share Wi-Fi Adapters Across a Network with Airserv-Ng
-
Android for Hackers:
How to Turn an Android Phone into a Hacking Device Without Root
-
How To:
4 Ways to Crack a Facebook Password & How to Protect Yourself from Them
-
How To:
Crack Wi-Fi Passwords with Your Android Phone and Get Free Internet!
-
How To:
Buy the Best Wireless Network Adapter for Wi-Fi Hacking in 2019
-
How To:
Get Unlimited Free Trials Using a "Real" Fake Credit Card Number
-
How to Hack Wi-Fi:
Get Anyone's Wi-Fi Password Without Cracking Using Wifiphisher
-
Hack Like a Pro:
How to Hack Facebook (Facebook Password Extractor)
-
How To:
Hack Android Using Kali (Remotely)
-
How to Hack Wi-Fi:
Stealing Wi-Fi Passwords with an Evil Twin Attack
-
How To:
Crack Any Master Combination Lock in 8 Tries or Less Using This Calculator
-
How To:
Load Kali Linux on the Raspberry Pi 4 for the Ultimate Miniature Hacking Station
-
How To:
Check if Your Wireless Network Adapter Supports Monitor Mode & Packet Injection
-
How To:
Hack a Windows 7/8/10 Admin Account Password with Windows Magnifier
-
How to Hack Wi-Fi:
Cracking WPA2 Passwords Using the New PMKID Hashcat Attack
-
Hack Like a Pro:
How to Get Facebook Credentials Without Hacking Facebook
-
How To:
Use Google to Hack(Googledorks)
-
How To:
Hack WPA & WPA2 Wi-Fi Passwords with a Pixie-Dust Attack Using Airgeddon
-
How To:
Enumerate SMB with Enum4linux & Smbclient
-
How To:
Easily Detect CVEs with Nmap Scripts
8 Responses
Hi which language are you using to connect to the database? if you are using php then the best way to store your username and password would be in a seperate connection.php file it doesn't matter that it is in plain text as you cant view php code like you can html source your best way to be secure would be to make sure that the user that connects from the site only has the permissions that it needs I hope this helps
It depends on the language you're writing in. In your connection code, you should at least consider encrypting the MySQL password in the state you have saved as text (so the password its self is not human readable), and decrypt it in memory during init. Obfuscation is another simple step you can take when dealing with code that does not compile to help keep the undetermined out (for a starters, don't name your file "connection.php"). While the text of your source code is typically safe if you've locked down your environment, you never know when a new exploit may be discovered that could give someone access to the files that contain your connection string. A skilled programmer will probably still figure it out fairly easily if determined to get in... But at least the bots/script kiddies won't. Hopefully in such an event, the extra hoops will buy you enough time to change your passwords.
Thank you two. It is in python. I am thinking about having a file that only the account the scripts are running on can read it. That should help.
Yes. Also wise to lock down MySQL to run on a non standard port and only accept connections from your web server (or a private VIP if running on the same machine). All speedbumps, but buying time in case of an intruder is wise.
I already have the server itself locked down, also only allows accepting from localhost and changed the port to outside of 10,000. If you know the workings of nmap you know why.
Here is how most sites do it. They use a thing called a hash. A hash is like an encryption, but it is a one-way encryption. This means it is impossible to decrypt without brute forcing (trying every possible combination of something until you get a hash matching the one you just stole from a database, if you're a hacker). Think of it like this: 1 + 2 = 3. So sure, we know 1 + 2 and 2 + 1 both equal 3. But which combination was the original password. Hashes are like this in the sense that they cannot be decrypted. However, with this logic, both 1 + 2 and 2 + 1 could be considered to be the correct password. This is why hashes are much larger, and much more complex. So basically, the chances of two passwords producing the same hash are almost non-existent. So how does this all work? Well, when a user registers, they input a password. Your php code will then convert the plain text into a hash. For the longest time, and even today, MD5 has been used. But the most secure will be something like SHA or SHA2, but the idea is the same. So the person enters their password, the code converts it to a hash. The hash is stored in the database. When the user logs in, the password they input is converted into a hash. The same password means the same hash will be generated, so you just compare the hash made from the login password with the hash in the database. Are they the same? If so, the password is correct. This, of course, has a downside. If a user forgets their password, the ONLY WAY to fix it is to reset the password to something random, give that random password to the user (usually via email), and then tell the user to log in and immediately change their password. Also, what others have said about properly securing the databases also applies. Someone with enough computing power could use software to brute force a password from the hashes. Of course, doing so would take a VERY long time.
While that's a great first step in storing user passwords (hopefully most sites at least use a salt as well to help mitigate rainbow tables), OP was asking about how to securely store the password his/her code uses to connect to the DB in the first place.
Yes I know how to hash and yes my database does hash things.
Share Your Thoughts